package com.neuedu.jdbc;

import com.neuedu.jdbc.util.DBUtils;

import java.sql.*;

/**
 * @author 金山
 * 项目：jdbc
 * site: https://blog.fulfill.com.cn
 * 描述  SQl注入的问题
 * @data 2024/11/811:22
 */
public class SqlInjection {


    public static void main(String[] args) {

        // int empno = 2002;
        // String ename = "测试注入'";
        // String job = "job";
        // insert(empno,ename,job);

        String id = "456789 or 1=1";
        // selectById(id);
        selectByIdByPreparedStatement(id);


    }

    public  static void  insert(int empno,String ename,String job){

        Connection conn = null;
        Statement stmt = null;
        try {
            conn = DBUtils.getConnection();

            //3 创建statement
            stmt = conn.createStatement();

            //4 执行sql语句  结果集 rs
            StringBuffer sql  = new StringBuffer();
            sql.append("INSERT INTO `emp` (  `empno`, `ename`, `job`, `mgr`, `hiredate`, `sal`, `comm`,  `deptno`) " );
            sql.append("VALUES ( " );
            sql.append("   "+empno+", '"+ename+"','"+job+"',7369,'2024-11-07',9999,null,10   " );
            sql.append(") " );


            System.out.println(sql);
            int count = stmt.executeUpdate(sql.toString());

            System.out.println("插入影响的行数 count = " + count);

        } catch ( SQLException e) {
            throw new RuntimeException(e);
        }finally {
            //   6 关闭资源
            DBUtils.close(conn,stmt,null);
        }

    }



    public static  void  selectById(String empno){

        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            conn = DBUtils.getConnection();

            //3 创建statement
            stmt = conn.createStatement();

            //4 执行sql语句  结果集 rs
            String sql = "SELECT   `empno`, `ename`, `job`,  `mgr`, `hiredate`, `sal`, `comm`, `deptno` FROM `emp` where empno =  "+empno;
            System.out.println("sql = " + sql);
            rs = stmt.executeQuery(sql);

            //5 解析 结果集
            if(rs.next()){ //第一行
                System.out.println("登录成功");
            }else{
                System.out.println("登录失败");
            }





        } catch ( SQLException e) {
            throw new RuntimeException(e);
        }finally {
            //   6 关闭资源
            DBUtils.close(conn,stmt,rs);
        }





    }


    /**
     * 预编译
     * @param empno
     */
    public static  void  selectByIdByPreparedStatement(String empno){

        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            conn = DBUtils.getConnection();



            //4 执行sql语句  结果集 rs
            String sql = "SELECT   `empno`, `ename`, `job`,  `mgr`, `hiredate`, `sal`, `comm`, `deptno` FROM `emp` where empno = ?  ";
            System.out.println("sql = " + sql);
            //3 创建statement
            stmt = conn.prepareStatement(sql);


            //设置问号的内容 绑定变量
            stmt.setString(1,empno);


            // rs = stmt.executeQuery(sql) ;
            rs = stmt.executeQuery();

            //5 解析 结果集
            if(rs.next()){ //第一行
                System.out.println("登录成功");
            }else{
                System.out.println("登录失败");
            }

        } catch ( SQLException e) {
            throw new RuntimeException(e);
        }finally {
            //   6 关闭资源
            DBUtils.close(conn,stmt,rs);
        }



    }



}
